Insider Threat Indicator Cost Matrix

White Paper
In this paper, the authors explain how data transformation mappings are used to refine which analytics apply to which transform.
Publisher

Software Engineering Institute

DOI (Digital Object Identifier)
10.1184/R1/13406651

Abstract

Insider threat programs look for early warning signs of potential insider threats by applying analytics to various data sources to identify indicators of concerning behavior. The analytics used in these programs vary in capability from simple to complex. A method to classify these various levels of analytic capabilities can help insider threat program decision makers select and prioritize analytic requirements for detecting and preventing insider threats.

Many attempts at classifying analytics are too broadly scoped because they try to determine what potential indicators are without first understanding how indicators transition as they move through various stages in the data model.

In this paper, we explain how data transformation mappings are used to refine which analytics apply to which transform. Using this model, we can refine what an analytic means for insider threat indicators. We discuss the dimensions that make up the analytic space; from those dimensions, we develop a cost matrix that an insider threat program can use to prioritize analytic indicator development. We provide examples of how the data transforms and the cost matrix help clear up some confusion about current insider threat analytic development.